(Rev. 05-01-2008)


UNCLASSIFIED 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE    Date: 04/23/2012

To: Washington Field    Attn: CY-4
    New York            Attn: CY-2, SA

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #:

Title: UGNAZI;
       TEAM-DIVERSITY;
       DC.GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL

Synopsis: Request captioned matter be opened and assigned to the writer.


Details: The purpose of this EC is to request captioned matter be opened and assigned to the writer. This matter is predicated based on information received from the complainant/victim organization, Government of District of Columbia (DC).

On 4/20/2012, WFO CY-4 received information that the DC's web site, DC.gov, was under attack. Writer talked to [redacted], Chief Technology Officer, Office of the Chief Technology Officer (OCTO), Government of the District of Columbia, 441 4th St. NW, Washington, DC 20001, telephone number [redacted], via telephone the same day. [redacted] reported DC.gov website was under Distributed Denial of Service (DDOS) attack since 4/18/2012 6:45pm, 25 hours into the attack, OCTO was able to restore the website and contained the DDOS attack. OCTO did not detect any intrusions into DC government's computer network. [redacted] forward writer an email contained possible perpetrators' twitter postings, postings at Pastebin.com, and a link to team-diversity.net. Within the twitter postings, user account [redacted] "UGNazi @UGNazi" [redacted] and [redacted] claimed taking down DC, New York City, and NASDAQ websites. The twitter postings included a link to Pastebin.com posting which revealed DC city mayor Vincent C Gray's personal identification information (PII).

On 4/20/2012, writer talked to DC Metropolitan Police Department Task Force Officer [redacted], telephone number: [redacted], via telephone. [redacted] stated the MPD was aware of the leak of DC Mayor's PII. The leaked PII was not accurate and some were outdated.


Open source search on [redacted] and "UGNazi @UGNazi" revealed two hacker group UGNazi, with website at UGNazi.com, and Team Diversity at team-diversity.net. UGNazi members were [redacted]. Team Diversity members were [redacted].

ACS search on [redacted] revealed he is the subject of New York field office's case, case number [redacted] -UGNAZI. In serial 40, [redacted] identified as following:

True Name:
Alias:


Monikers:
Address:
DOB:
(former)
(current)
SSN:
Email:
ICQ:
MSN:
Skype:
Twitter:
Website:

Based on the information above, WFO request that a Full Investigation be opened and assigned to SA [redacted].
LEAD(s): 

Set Lead 1: (Info) 

NEW YORK 

AT CY2 

Read and clear. 


♦♦ 


FD-302 (Rev. 10-6-95) 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 


On 4/24/2012, [redacted], Chief Technology Officer, Office of the Chief Technology Officer (OCTO), Government of the District of Columbia, 441 4th St. NW, Washington, DC 20001, telephone number: [redacted], email: [redacted], was interviewed in Washington, D.C. Also present during the interview were [redacted], email address: [redacted], telephone number: [redacted], cell phone number: [redacted]. After being advised of the identity of the interviewing agent and the nature of the interview, [redacted] provided the following information:

[redacted] provided two CDs, one contained PCAP files and graphs from Distributed Denial of Service (DDOS) attack from 4/18/2012 to 4/19/2012, and the other contained the firewall logs from that attack. [redacted] stated the personal information on DC Mayor was not accurate and it was not the result of any computer intrusions in DC government network. DC government has not discover any other DC government employee's personal information was published on the internet.

[redacted] introduced writer to [redacted], Security Operations, Office of the Chief Technology Officer, telephone number: [redacted], email: [redacted]. [redacted] is the point of contact for any technical questions regarding the DDOS attack.

Investigation on 4/24/2012 at Washington, DC

by SA

Date dictated

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/01/2012

To: Washington Field    Attn: CY4

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #:

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL


Synopsis: Documenting finding on [redacted]

Details: On 5/1/2012, writer found a twitter posting between [redacted] and [redacted], who is a reporter from [redacted]. In the posting, [redacted] told [redacted] to contact him at [redacted] to discuss his attacks on dc.gov website.

A Google search using on email [redacted], an email listed in [redacted]'s DOX information, revealed the following website that link the Comcast email account to the "Team Diversity" member [redacted]

Additional searches revealed the following information:

The third return result in Google's organic (non-paid) search returns was titled "Hack Forums - {Team Diversity} Selling GT: stfu" and located at www.hackforums.net > Hack Forums > Marketplace > Gametags. The excerpt in the search return included the following text, "05-20-2011, 3:39 PM. GT Control Proof: Spoiler (Click to View). (Image: glQ59.jpg]. Contact AIM: XBLTime. [redacted]"
A post made to codeupload.com (codeuploade.com/4851) on 23 December 2011 at 5:15 pm UTC advertising T
stated the following information.

1 


2 . 

3. 

4. 

5. 

6 . 

7. 

8 . 
9 . 


J 


J 


Team Diversity Gamertags 
Team Diversity 
Team Diversity 


http://www.youtube.com/watch?tvsbWzJZEixH9a
The referenced YouTube post was no longer available at the time of the open source searches.




| using the moniker 

on May 12 


contained the following, "ADD 
5:05 pm and "Selling Diversity 
Jan 20 at 5:54. PM. 

An Xbox Live Profile (live.xbox.com/en-US/Profile?gametag=my bolt action) lists in the BIO section the following information, "Team Diversity - [redacted]" and "AIMS: [redacted] YouTube.com [redacted]"

Writer intended to subpoena registration information on these email accounts and request search warrants as well.


♦♦ 
(Rev. 05-01-2008)

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/01/2012

To: Washington Field    Attn: CY4

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL


Synopsis: Documenting email communication with New York office.

Details: On 4/27/2012, writer received a email from SSA [redacted] regarding terminating the lead to Los Angeles to interview possible suspect [redacted] in order to avoid operational conflict with the FBI New York investigation. Writer will continue all other logical investigative steps to move case forward.

♦♦
(Rev. 05-01-2008)

UNCLASSIFIED//FOR OFFICIAL USE ONLY

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 04/23/2012

To: Washington Field    Attn: SA
    New York            Attn: SSA
    Minneapolis         Attn: SSA
                              SA
    Phoenix             Attn: SSA

From: Washington Field
      ID-3, CY-4/NVRA/3S
      Contact: IA

Approved By:
Drafted By:

Case ID #:
           174C-MP-74385 (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL

       UNSUB(s)
       AKA
       AKA
       AKA
       CHASKA POLICE DEPARTMENT, (VICTIM)
       02/22/2012,
       TELEPHONE BOMB THREATS

Synopsis: (U) To document open source searches revealing DDoS, hacking and doxing activity by members of the UGNazi Hacktivist Group.

Enclosure(s): Print-outs of referenced web pages will be maintained to the captioned investigation's case file via TA.

Details: (U//FOUO) By way of background, Washington Field Office (WFO) squad CY-4 opened the captioned investigation into the hacktivist group "UGNAZI" in April 2012 based on the group's claims of responsibility for online attacks targeting computer network infrastructure belonging to the District of Columbia (Reference [redacted] for details). Open source searches for the following identified group members [redacted] revealed the following information.

(U) A 19 April 2012 post to the "UGNaziNews" (twitter.com/#!/UGNaziNews) Twitter feed, hereafter referred to as [redacted] stated, [redacted] hereafter referred to as [redacted]. The hyperlinked text ending in [redacted] linked to an image at the Uniform Resource Locator (URL) [redacted] that displayed a web page not available error message for nyc.gov. The hyperlinked text ending in [redacted] linked to an image at the URL [redacted] that displayed a web page not available error for dc.gov.

(U) A 19 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted] The hyperlinked URL linked to a news story about the Hacker Group UGNazi conducting Distributed Denial of Service (DDoS) attacks against dc.gov and nyc.gov as an act of protest against the US Government.

(U) A 19 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted] The hyperlinked text ending in [redacted] linked to an image at the URL [redacted] that displayed a web page not available error for washington.org.

(U) A 19 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted] The hyperlinked pastebin URL linked to a pastebin post that contained Personal Identifying Information (PII) for Washington DC Mayor Vincent Gray; including Date of Birth (DOB), Social Security Number (SSN), phone numbers and addresses.

(U) A 19 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted] The hyperlinked URL linked to an image at [redacted] that displayed a web page not available error for nasdaq.com.


(U) A 20 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted]. The hyperlinked URL linked to an image at [redacted] that displayed a web page not available error for

(U) A 20 April 2012 post to the UGNaziNews Twitter feed by [redacted] stated, [redacted] The hyperlinked URL linked to an image at [redacted] that displayed a Web page not available error for wa.gov.

(U) A 23 April 2012 post to the UGNaziNews Twitter feed by [redacted] The hyperlinked pastebin URL linked to pastebin post that contained a message apparently protesting the Cyber Intelligence Sharing and Protection Act - H.R. 3523 and listing the following pastebin URLs under the

’t order
] at the

(U) The hyperlinked URL [redacted] linked to a pastebin post made in apparent retaliation for law enforcement actions against LulzSec members. UGNazi member [redacted] claimed to have [redacted] and listed alleged FBI agents allegedly involved in bringing down LulzSec. The 7 alleged FBI agents d0xed in the post were: [redacted] The d0x listed credit card numbers, CVC2s, fbi.gov email addresses and passwords. The email addresses did not conform to the format used by FBI email accounts used on either unclassified or classified networks.

(U) FBI intranet directory searches on the names of aforementioned d0xed agents did not return BPMS directory listings for FBI employees; with the exception of [redacted] which returned information on a [redacted] whose work telephone number indicated he works out of [redacted]

(U) The hyperlinked [redacted] linked to a pastebin post that listed PII for 5 alleged "CIA Field Agents". The post claimed the PII was obtained by hacking cia.gov email accounts.

(U) A 23 April post to the UGNaziNews Twitter feed by the [redacted] the [redacted] Twitter profile [redacted], hereafter referred to as [redacted] Twitter, stated, "#FBI Document leaked - [redacted]" The hyperlinked pastebin URL linked to the aforementioned pastebin post tweeted by [redacted]

(U) A 23 April 2012 post
feed by [redacted] The hyperlinked URL linked to an image at [redacted] that displayed a web not available error for cra.gov.

(U) A 23 April post to the UGNaziNews Twitter feed by the owner/operator of the UGNazi Twitter profile [redacted] hereafter referred to as the UGNazi Twitter, stated, [redacted]


(U) A 23 April 201 2 post to the UGNazi 
^the Twitter account [ 


by the 


By I 

URL linked to a I I 

print ed) list of PI.I for 
I I and his family, as j 
email messages in which \_ 


The hyperlinked 


ts What appeared to be content of 
indicates that he "swatted" people. 


(U) The [redacted] d0x contained a URL to an image at [redacted] which displayed what appeared to be the contact page for an online bank account or credit card account manager for an account belonging to [redacted]. Based on the location of the URL in the d0x, right below [redacted]'s Visa credit card information, it is assessed with medium confidence that this screen shot image may be for an account manager page tied to that credit card.

(U//FOUO) An ACS search revealed a connection between [redacted] and a series of telephonic bomb threats being investigated by FBI Minneapolis Division (See [redacted] for details).

(U//FOUO) The following emails listed in the [redacted] d0x were run as search terms in ACS. The search yielded one positive result for the email [redacted]. The serial documented open source derived information which tied the email account to the name [redacted] which is very similar to the alias [redacted] listed in the UGNazi d0x of [redacted] (See 174C-MP-74385, serial 9 for details). The d0x also lists [redacted] as [redacted]'s AOL Instant Messenger ID which is consistent with references to [redacted] documented to
Analysis:

(U//FOUO) It is assessed with high confidence that the UGNazi hacktivist group did not compromise FBI or CIA employee email accounts as claimed in the aforementioned d0xing posts and NYO ADIC letter post made by UGNazi members to pastebin. This assessment is based on the following indicators that suggest the [redacted]

(U//FOUO) It is assessed with medium to high confidence that the d0x published by the UGNazi hacktivist group targeting [redacted] is true information possibly obtained by UGNazi members through the compromise of one or more of the email accounts listed in the d0x. This assessment is based upon the preponderance of corroborating information listed below. [redacted]

[redacted] Based on the aforementioned details corroborating the [redacted] d0x it is assessed with medium confidence that one or more members of the UGNazi hacktivist group are capable (both in motivation and skill level) of committing computer network intrusion and/or social engineering resulting in the compromise of online password protected accounts.
Accomplishment Information:

Number: 1
Type: SUBJECT IDENTIFIED
ITU:
Claimed By:
    SSN:
    Name:
    Squad:
LEAD(s):

Set Lead 1: (Info)

NEW YORK

AT NEW YORK, NY

For New York Field Office Squad CY-2's situational awareness. Read and clear.

Set Lead 2: (Info)

MINNEAPOLIS

AT MINNEAPOLIS, MN

For Minneapolis Field Office Squad CT-3's situational awareness. See the information regarding the possible true identity of [redacted] and alleged evidence of swatting activity documented on pages 4 - 6 of the enclosed communication. The full text of the [redacted] report are enclosed in the accompanying 1A. Read and clear.

Set Lead 3: (Info)

PHOENIX

AT PHOENIX, AZ

For Phoenix Field Office Squad C-2's situational awareness regarding d0xing victims and possible case subject residing in Phoenix's AOR. Read and clear.

♦♦
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/11/2012

To: Cyber          Attn:
To: Charlotte      Attn: SSA
To: Dallas         Attn: SSA
To: Houston        Attn: SSA
To: Los Angeles    Attn: SSA
To: Little Rock    Attn: SSA
To: New York       Attn: SSA

From: Washington Field
      CY-4/NVRA/Room 3E-128
      Contact:

Approved By:
Drafted By:
Case ID #:

Title: UGNAZI;
       TEAM DIVERSITY;
       DC.GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL


Synopsis: To document notification and liaison contact made with Special Agent (SA) [redacted] Office of Inspector General (OIG) on 05/11/2012.

Attachment: E-mail communication from Supervisory Special Agent (SSA) [redacted] regarding a distributed denial of service attack (DDoS) of the [redacted] web site dated 05/11/2012.

Details: On 05/11/2012, SSA [redacted] contacted SSA [redacted] via UNET e-mail advising of a DDoS attack of the [redacted] web page apparently conducted by members of "UGNazi", including individuals utilizing the monikers [redacted] respectively.

On this same date, via e-mail and telephone conversations, SSA [redacted] advised [redacted] liaison contacts of this possible DDoS. SA [redacted] later confirmed their web site had in fact been DDoSed but was now currently up and running. SA [redacted] prosecutive opinion. SA [redacted] once he has a better understanding of the incident.

SA [redacted] advised the [redacted] had network infrastructure at three locations including [redacted]. SA [redacted] further advised through open source research he identified Twitter feeds of individuals claiming responsibility for the DDoS of his organization. WF will continue coordination efforts with the [redacted] on this matter.

On 05/11/2012, SSA [redacted] forwarded a copy of the attached e-mail thread related to this incident to all identified field offices with potential equities in this matter for their situational awareness.
Set Lead 1: (Info)

CYBER

AT WASHINGTON, DC

For information.

Set Lead 2: (Info)

CHARLOTTE

AT CHARLOTTE, NC

For information.

Set Lead 3: (Info)

DALLAS

AT DALLAS, TX

For information.

Set Lead 4: (Info)

HOUSTON

AT HOUSTON, TX

For information.

Set Lead 5: (Info)

LOS ANGELES

AT LOS ANGELES, CA

For information.

Set Lead 6: (Info)

LITTLE ROCK

AT LITTLE ROCK, AR

For information.

Set Lead 7: (Info)

NEW YORK

AT NEW YORK, NY

For information.

♦♦
From:
Sent:
To:
Subject:

See the below re a confirmed DDoS of the [redacted] website purportedly conducted by members of UGNazi to include [redacted] OIG POC advised they had infrastructure in three places including [redacted] He is checking to determine the other locations and which were effected and will get back to me.

SSA [redacted]
FBI/WFO/NVRA/CY-4
(O)
(C)
703.686.6010 (F)

-----Original Message-----
From:
Sent: Friday, May 11, 2012 9:49 AM
Subject: RE:

FBI/WFO/NVRA/CY-4
(O)
(C)
703.686.6010 (F)

-----Original Message-----
Sent: Frida
Subject: Re

I am a Cyber Squad Supervisor in the WF Office and the [redacted] is in my AOR, I appreciate any information you have on the subjects involved in the [redacted] I can be reached [redacted] and Bb [redacted] Thanks in advance for your assistance.

-----Original Message-----
From:
To:
Cc:
Sent: Fri May 11 07:51:38 2012
Subject: Re:

Please see below in regards to a DDoS attack attributed to [redacted] and members of UGNazi to include [redacted]

[redacted] is currently down due to DDoS attack by [redacted] I believe I have PII for [redacted] to include name and home address. Can you provide contact info for the agent looking into [redacted]? My notes from today's meeting are at the office and I will be out until May 21.

Twitter accounts for individuals captioned above are: [redacted]

I'll keep you updated as info comes in.
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/07/2012

To: Washington Field    Attn: CY-4

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI;
       TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL

Synopsis: Requesting a STATS sub file to be opened. 

Details: Writer requesting a STATS sub file to be opened under 
captioned case in order to record all the statistical 
accomplishments. 



U.S. Department of Justice

Federal Bureau of Investigation

In Reply, Please Refer to
File No.

Northern Virginia Resident Agency
9325 Discovery Blvd.
Manassas, VA 20109

May 2, 2012

Long Beach Police Department
Computer Crimes Detail

RE: Distributed Denial of Service (DDOS) attack on DC.gov website from 4/18/2012 to 4/19/2012.

Dear Detective [redacted]

On 4/20/2012, the FBI Washington Field Office received information that the DC's website, DC.gov, was under DDOS attack. FBI Special Agent (SA) [redacted] talked to [redacted], Chief Technology Officer, Office of the Chief Technology Officer (OCTO), Government of the District of Columbia, 441 4th St. NW, Washington, DC 20001, telephone number: [redacted] via telephone the same day. [redacted] reported DC.gov website was under Distributed Denial of Service (DDOS) attack since 4/18/2012 6:45pm, 25 hours into the attack, OCTO was able to restore the website and contained the DDOS attack. OCTO did not detect any intrusions into DC government's computer network. [redacted] sent SA [redacted] an email in which contained postings on twitter.com, Pastebin.com, and a link to team-diversity.net. Within the twitter postings, user account [redacted] claimed taking down DC government, New York City, and NASDAQ websites. In a twitter posting between [redacted] and [redacted] who is a reporter from dcist.com, [redacted] told [redacted] to contact him at [redacted] to discuss the DDOS attacks on dc.gov website. Further search in twitter postings revealed a link to Pastebin.com posting which posted DC city mayor Vincent C Gray's personal identification information (PII).

On 4/20/2012, writer talked to DC Metropolitan Police Department Task Force Officer [redacted], telephone number: [redacted] via telephone. [redacted] stated the MPD was aware of the leak of DC Mayor's PII. The leaked PII was not accurate and some information were outdated.

Internet search on [redacted] revealed two hacker group UGNazi, with website at UGNazi.com, and Team Diversity at team-diversity.net. UGNazi.com listed its members as [redacted]. Team-Diversity.net listed its members as [redacted]

Following items are attached to this Letter: a CD contained screen shots of twitter postings and online articles regarding DDOS attack on DC.gov, a CD contained PCAP file, and a CD contained firewall log on DDOS attack.

The above information is provided to you for action as

Sincerely,

Ronald T Hosko
Special Agent in Charge

By: [redacted]
Supervisory Special Agent
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/15/2012

To: Washington Field    Attn: CY4

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL


Synopsis: Documenting finding on [redacted]

Details: On 5/2/2012, FBI Task Force Officer (TFO), Long Beach Police Department Sgt. [redacted] contacted writer via email and provided following information:

[redacted] was arrested for numerous computer related crimes by the Long Beach Police Department (LBPD) and is due in court later in May 2012. He has been positively identified and search warrants have been served. Some of his computers are in LBPD custody. The handling LBPD Detective is [redacted], telephone number: [redacted]. [redacted] has done lots of work on [redacted] and his friends.

[redacted]'s personal information are following:

DOB:
Cell phone:
Address:
Subjects Mother:
Address:
Employer:
Work Phone:
Cell:

On 5/3/2012, TFO [redacted] contacted writer via email and provided a list of the subjects who were identified by Detective [redacted]. The following list was compiled from the SWATTING and ID theft case Detective [redacted] is investigating:

AKA:
Name:
DOB:
M/W
Address:
Twitter:
Facebook:
YouTube: [redacted] (videos show DDoS of TacoBell.com and theft of Xbox game tags.)
Web page: [redacted] (Possibly contains virus) Site shows members are [redacted]
Groups:
Notes: I have several PayPal transactions regarding the purchase of VPN accounts. Search warrant served on residence in November 2011 and computers taken. [redacted] Due t
the time, no case was filed.


















Home:
AIM:
ISP:
Notes:

AKA:
Name:
DOB:
M/W
Address:
AIM:
Notes:

AKA:
Name:
DOB:
M/W
Address:

Address:

On 5/4/2012, writer received a email from SA [redacted] Los Angeles Division. A copy of LBPD report on [redacted] was attached to the email. The LBPD report was prepared by Detective [redacted] and it detailed the investigation conducted for

♦♦
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/15/2012

To: Baltimore    Attn: Cyber Squad

From: Washington Field
      CY4/NVRA
      Contact:

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL


Synopsis: Request concurrence from Baltimore Field Office to conduct interview in Annapolis, MD.

Details: On 4/20/2012, Washington Field Office (WFO) CY-4 received information that the DC's website, DC.gov, was under Distributed Denial of Service (DDoS) attack. During the course of the investigation, writer determined the members of hacker group UGNazi and Team Diversity were behind attack. Group member [redacted], DOB: [redacted], address: [redacted] were positively identified by Long Beach Police Department (LBPD) during their investigation. LBPD provided WFO with information on [redacted] as well as several [redacted]

The following individual resides in [redacted]

AKA:
Name:
DOB:
M/W
Address:
Home:
AIM:
Notes:

Writer intends to interview [redacted] to determine his involvement in the DDoS attack against DC.gov and any other illegal online activities.

Set Lead 1: (Info)

BALTIMORE

AT CYBER SQUAD

Requesting concurrence to travel to Annapolis, MD to interview [redacted]

♦♦
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/18/2012

To: Washington Field    Attn: SA
                              CY-04

From: New York
      CY-02
      Contact:

Approved By:
Drafted By:
Case ID #:

Title: OPERATION CARDSHOP

       UGNAZI - UGNAZI; TEAM-DIVERSITY;
       DC GOV - VICTIM;
       COMPUTER INTRUSION - CRIMINAL

Synopsis: To request Washington Field to delay contact with 
-individuals associated with UG Nazi. 

* 

Administrative: The following was emailed on May 17, 2012 as a 
follow up to a phone conversation. 

From: I 1 

Sen t: Thursday, May 17, 2012 2:29 PM _ 

To: I — I 


Subject: RE: Interviews 
Good afternoon | | 

X appreciate the heads up regarding the information below. 

As per our phone conversation, please wait until the coordinated 
takedown, scheduled for June 26, 2012, to contact these guys. 

t _ 

We are unfamiliar with I_I at the moment, but is a 

registered member of our UC .forum. Many of the UG guys nave 


UNCLASSIFIED 






UNCLASSIFIED 



d From: New .York 
05/18/2012 


direct connection with our UC forum and it will not be advisable 
to approach them prior to June 26. 


Lastly, |_|is out of the office and will be back on Monday. 

HeMl work on getting those logs to you next week. 

Tha nks! 

□ 

From: | | 

Sen t: Thursday. Mav 17. 2012 8:42 AM _ 

To: 

Cc: . _ ^ _ 

Subject: interviews 

Hev guvs. 1 got a list of names fr om -Iona beac h pd det 
I I Those are the ppl Det I Iden tified in his 

investigation into l I and they associated with I I online. 

I notice there are couple of guys live close by to dc, would like 
to interview them regarding their role in DC.gov attack and any 
Other Illegal activities. Just want to be a team p layer and make 
sure not stepping over each other. Oh by the way, I l did you 
get chance to sent out those logs from NY.gov and NASDAQ.com 
attacks? thanks 

AKA: I 
Name 
DOB: 

M/W 1 - 1 _ 

Addr ess: I __ 

Home :| [ 

AIM: I _I_:_ 

Notes: 

AKA: I i 

Name 

DOB: 

M/W I-!-1- 

AddressjJ_ 

Home :| I- 

AIM: K_I_ 

Notes:! 




Details: New York respectfully requests Washington Field to 
delay contact with the individuals associated with UGNazi, to 
include the members mentioned above. 




LEAD(s): 

Set Lead 1: (Info) 

WASHINGTON FIELD 

AT WASHINGTON, DC

New York respectfully requests Washington Field to
delay contact with the individuals associated with UGNazi, to
include the members mentioned above.

♦♦ 


UNCLASSIFIED 


UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE

To: Washington Field

From: Washington Field
CY4/NVRA
Contact:

Date: 05/22/2012

Attn: CY-4

Approved By:
Drafted By:
Case ID #: (Pending)
(Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: Reporting investigation conducted. 

Details: From 5/2/2012 to 5/18/2012, through twitter postings by
|_| at |_| and third party reporting, writer learned
hacker group UGNazi was involved in attacks on IC3.gov, ed.gov,
Washington Military Department website, ca.gov, Government of
Anguilla (gov.ia), visa.com, cia.gov, wtf.com, Discover.com.

Pertaining to attack on wtf.com, information indicated
UGNazi hacked its registration information. Writer did a
Domaintools lookup on wtf.com and found the following as the
registration information:

Registrant:
UGNazi, Inc.
ATTN WTF.COM
care of Network Solutions
PO Box 459
Drums, PA, US 18222

Administrative Contact, Technical Contact: |_|

Created: 1995-08-12
Expires: 2019-08-11
Updated: 2012-05-17



Writer contacted |_|, Investigator at
Network Solutions, telephone number: |_|, fax number: 703-668-5959,
via telephone on 5/22/2012. |_| confirmed that wtf.com is
registered through Network Solutions; the real registrant
information and domain management account login information are
available upon request through a subpoena.


♦♦ 


UNCLASSIFIED 
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION 


Precedence : ROUTINE 

To: Washington Field 

From: Washington Field 
CY4/NVRA 

Contact: 


Date: 05/24/2012 


Attn: CY-4 


Approved By:
Drafted By:
Case ID #: (Pending)
(Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;

COMPUTER INTRUSION - CRIMINAL


Synopsis: Reporting AUSA's response. 

Details: On 5/17/2012, writer submitted a subpoena request for
registrant information on wtf.com to Assistant US Attorney
|_| for approval. On 5/24/2012, |_| contacted writer
via telephone to advise prosecutor in Washington DC
|_| Writer will forward all the information on
wtf.com intrusion to Detective |_|, email: |_|,
telephone: |_|, Long Beach Police Department for his case.


♦♦ 


UNCLASSIFIED 











FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/08/2012

From 5/2/2012 to 5/18/2012, through twitter postings by
|_| at |_| and third party reporting, writer learned hacker
group UGNazi was involved in attacks on IC3.gov, ed.gov, Washington
Military Department website, ca.gov, Government of Anguilla
(gov.ia), visa.com, cia.gov, wtf.com, Discover.com.

Pertaining to attack on wtf.com, writer conducted another
domain lookup on wtf.com on 5/24/2012 and found the following as the
registration information:

Registrant:
Wtf, Inc.
4550 Ocala Drive
Parma, OH 44134
US


On 4/24/2012, |_| telephone number: |_| email: |_|
was interviewed via telephone. After being advised of the identity
of the interviewing agent and the nature of the interview,
provided the following information:

|_| noticed his website wtf.com was redirected to
ugnazi.com on 5/16/2012 and at same time he could not access his
domain management account at Network Solution and his emails with
Cox.net and Google. |_| has phone and internet services
through Cox.net, when he contacted Cox, he found out his account
was compromised, and call forwarding was setup so all his calls were
forwarded to |_| at |_|
|_| tried to call himself, but instead of going to his voice
mail like it used to, he reported someone picked up the call and
did not say anything. |_| also recalled a backup email for
his Cox account was changed to an email beginning with |_|
ending in ".com". |_| stated his domain management account at
Network Solution was compromised and wtf.com registrant information
was changed on 5/17/2012 around 12:30 am. |_| talked with
|_| LNU at Network Solution, 570-708-8700, ext |_| Network
Solution generated a service ticket for this incident, ticket
number |_| Additionally, two technical contacts were

______ 

Investigation on 6/5/2012 at Washington DC (via facsimile)

by SA

Date dictated

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)

Continuation of FD-302 of , On 6/5/2012


created, as far as |_| could recall, one was |_|
and the other was |_| at UGNazi.com Inc. |_| stated
he has no relationship with any members of UGNazi and doesn't know
why he was targeted. All of his accounts have since been
reinstated. |_| is willing to provide the login logs for his
Gmail and Network Solutions accounts.















(Rev. 05-01-2008)

UNCLASSIFIED 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/12/2012 

To: Washington Field Attn: CY-4 

From: Washington Field 
CY4/NVRA

Contact:

Approved By:
Drafted By:

Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;

COMPUTER INTRUSION - CRIMINAL


Synopsis: Reporting investigation conducted. 


Details: On 6/7/2012, writer received an email with spreadsheet
attachment named "Login History.xls" from |_|,
Investigator at Network Solutions (NS),
|_| The spreadsheet contained login
information for domain management account for wtf.com. NS
released this information to the FBI upon receiving a written
consent from the owner of the wtf.com, |_|. The
following is the login history:


Login History for Account |_|

Date              Success   Person-Org ID   IP Address   Relationship
5/17/2012 17:12   FALSE                                  Primary
5/17/2012 17:10   FALSE                                  Primary
5/17/2012 17:09   FALSE                                  Primary
5/17/2012 15:33   FALSE                                  Primary
5/17/2012 15:31   FALSE                                  Primary
5/17/2012 15:30   FALSE                                  Primary
5/17/2012 15:30   FALSE                                  Primary
5/17/2012 15:29   FALSE                                  Primary
5/17/2012 2:00    TRUE                                   Primary
5/17/2012 2:00    FALSE                                  Primary
5/17/2012 1:48    TRUE                                   Primary
5/17/2012 0:17    TRUE                                   Primary
5/17/2012 0:07    TRUE                                   Primary
5/17/2012 0:07    FALSE                                  Primary
5/17/2012 0:06    TRUE                                   Primary
5/17/2012 0:04    TRUE                                   Primary
5/16/2012 23:59   TRUE                                   Primary
5/16/2012 21:53   TRUE                                   Primary
5/16/2012 21:14   TRUE                                   Primary
5/16/2012 21:13   FALSE                                  Primary
5/16/2012 21:04   TRUE                                   Primary
5/16/2012 20:55   TRUE                                   Primary
5/16/2012 20:45   TRUE                                   Tech
5/16/2012 20:44   TRUE                                   Primary
5/16/2012 20:40   TRUE                                   Primary
5/16/2012 19:37   TRUE                                   Primary
5/16/2012 19:09   TRUE                                   Primary
5/16/2012 15:32   TRUE                                   Tech
5/16/2012 12:32   TRUE                                   Tech
5/16/2012 12:32   FALSE                                  Tech
5/16/2012 1:51    TRUE                                   Tech
5/16/2012 0:23    TRUE                                   Tech
5/16/2012 0:19    TRUE                                   Tech
5/16/2012 0:19    TRUE                                   Tech
2/10/2012 17:24   TRUE                                   Primary
2/10/2012 17:19   FALSE                                  Primary
2/10/2012 17:19   FALSE                                  Primary

|_| reported |_| is his home IP address.
|_| resolved to |_|
IP addresses |_| resolved to |_|




IP address |_| resolved to |_|

There are three Person-Org ID associated with all the
logins, |_| NS indicated these are the
user account IDs; each contained user personal information.
Information on these user accounts are pending from NS.


♦♦ 


UNCLASSIFIED 







